IAM in a Cosmopolitan World

Shenali Jayakody
Identity Beyond Borders
6 min read · Mar 18, 2024

A guide to understanding basic IAM concepts by exploring the captivating universe of an online magazine.

Summer had just begun. Butterflies were gracefully dancing among purple petunias. The Lumina team, the family behind the best online lifestyle magazine, was ready to conquer the world.

Part I: Outside Lumina

Rose Kelly is an 18-year-old girl who’s struggling to find her passion in an ever-changing world. On a warm summer morning, she came across an online magazine. Little did she know that this moment would be remarkable in her monotonous life.

Hoping to see the sensational content of Lumina, she created an account for herself. After entering her username and password, she was able to witness the most beautiful cover page of a magazine she had ever seen.

This is Authentication. The Lumina team was making sure that Rose was actually Rose Miranda Kelly (Social Security Number — 334 600 901, Age — 24, Location — California West).

She was distracted by a notification on her mobile 📲

The Lumina team was already excited about their new customer 🤩. When they asked Rose to enable Multi-Factor Authentication (MFA), an equally excited Rose quickly enabled it to secure her account.

MFA (This is what Rose enabled)

Something Rose Knew — The Password

Something Rose Had — The One-Time Password (OTP) sent to her mobile

Something Rose Is — Her fingerprint

Being a fashion enthusiast, Rose browsed the latest Spring collection of all the renowned brands for hours. But when she tried to view the upcoming Winter collection with dazzling eyes, she was not allowed to, as she was not a premium member.

This is Authorization. Rose was only able to access the content that was allowed under her permission and privilege level. (She was indeed sad 😔)

Part II: Inside Lumina

In Lumina headquarters, the CEO Lily Martinez entered the building with a “Devil Wears Prada” entrance. With an Iced Mocha in one hand, she logged into the Lumina system. As the CEO of one of the most elite companies in the entire world, of course she had MFA enabled (but with retina scans 👁️ for extra protection).

This was a woeful day for Lily, as her colleague and long-time friend John Krasinski was resigning from the Lumina family. Lily de-provisioned John from the Lumina system with a heavy heart. Despite John’s departure, Lily was excited about Melissa’s first day, as she was provisioning the new intern writer to the Lumina system.

User Provisioning — also known as user onboarding, is the process of creating accounts and granting access to digital resources for new users within an organization.

User De-Provisioning — also known as user offboarding, is the process of revoking access and removing user accounts and their associated privileges when a user leaves the organization or no longer requires access to specific resources.

Since Melissa was an intern, like all interns she only had access to draft stories. Once her story is drafted, it goes through a chain of junior and senior writers before it can be published in the magazine. First, her direct junior writer modifies and amends the story while keeping the essence of the writing. Then it is passed to a senior writer for approval. Upon approval, the story is passed to the board of editors and the chief editor. In spite of how busy Lily is, she always makes sure to check the stories personally.

This is Role Based Access Control (RBAC).

Roles: Intern, Junior Writer, Senior Writer, Editor, Chief Editor, and CEO each have different access and permission levels. In an IAM system, roles can be mapped onto the structure of the organization.

There are three RBAC types.

1. Core RBAC — The overall organization implements core RBAC where photographers, writers, editors, and graphic designers have distinct access to resources and perform certain actions.

2. Hierarchical RBAC — Writers, who are split into three roles (Intern, Junior, and Senior writers), follow Hierarchical RBAC, where senior writers inherit the access levels of junior writers and intern writers.

3. Constrained RBAC —

i. Static Separation of Duty (SSD) — Ginny, a senior writer, did some minor tweaks to Rose’s story and then passed it to another senior writer, George, for approval. (A single user cannot hold mutually exclusive roles.)

ii. Dynamic Separation of Duty (DSD) — George, who pre-approved Rose’s story, is also an editor in team Lumina. Yet he is not allowed to approve Rose’s story at the editor level, as he already approved it at the senior writer level. (Though a user can be in conflicting roles, they are not allowed to function in both roles at the same time.)
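To make the three RBAC flavours concrete, here is an added example (my own toy engine, not code from the article or from any WSO2 product) modelled on the Lumina newsroom: role inheritance gives a senior writer the intern’s rights, an SSD pair is rejected at provisioning time, and a DSD pair is enforced per story at decision time. The role names, permission strings and conflicting pairs are assumptions chosen to mirror the story above.

```python
# Added example (not from the article): toy RBAC engine for the Lumina newsroom.
# Role names, permissions and the SSD/DSD pairs below are assumptions.

# Hierarchical RBAC: each role inherits the permissions of its parent roles.
PARENTS = {
    "intern": [],
    "junior_writer": ["intern"],
    "senior_writer": ["junior_writer"],
    "editor": [],
    "chief_editor": ["editor"],
}
PERMISSIONS = {
    "intern": {"story:draft"},
    "junior_writer": {"story:amend"},
    "senior_writer": {"story:approve"},
    "editor": {"story:editorial_approve"},
    "chief_editor": {"story:publish"},
}
# SSD: a user may never hold both roles of a pair at the same time.
SSD_PAIRS = {frozenset({"intern", "editor"})}
# DSD: a user may hold both roles, but may not exercise both on one story.
DSD_PAIRS = {frozenset({"senior_writer", "editor"})}


def effective_permissions(role):
    """Core RBAC lookup, widened by the hierarchy (senior gets intern's rights)."""
    perms = set(PERMISSIONS[role])
    for parent in PARENTS[role]:
        perms |= effective_permissions(parent)
    return perms


def assign_roles(roles):
    """Provisioning-time check: reject role sets that violate an SSD pair."""
    roles = set(roles)
    for pair in SSD_PAIRS:
        if pair <= roles:
            raise ValueError(f"SSD violation: cannot hold {sorted(pair)} together")
    return roles


def can_act(user, user_roles, role, permission, story_history):
    """Decision-time check. story_history lists (user, role) actions already
    taken on this story; DSD denies a second action in a conflicting role."""
    if role not in user_roles or permission not in effective_permissions(role):
        return False
    for prior_user, prior_role in story_history:
        if prior_user == user and frozenset({prior_role, role}) in DSD_PAIRS:
            return False
    return True
```

Record every permitted action in the story's history, and the same George who approved as a senior writer is denied the editor-level approval while a different editor is not.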

2 years ago, on a dark Winter day, Lily lost her brother to mental health struggles. To help innocent souls like him, Lily launched “Lumina Life”, a mental health support system alongside the online magazine. The 24/7 call center of Lumina Life is always staffed with certified psychologists and psychiatrists. Only certified psychiatrists are allowed to prescribe immediate medications to a patient who shows suicidal tendencies. Additionally, they are allowed to edit the personal file of the patient.

This is Attribute Based Access Control (ABAC).

ABAC is a more fine-grained, logic-based way of controlling access: decisions are evaluated from attributes of the subject, the resource and the action, so it can be used in complex scenarios where RBAC does not cater to the requirements.

According to the above example, access is controlled as below.

Job description of the subject — Certified Psychiatrist
Accessible resources — Personal file of the patient
Allowed actions — Prescribe medications, and edit the personal file.
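The Lumina Life rules expressed as an attribute-based policy, as an added example (my own code, not the article’s or any WSO2 product’s): each rule names the subject attributes, resource attributes and actions it permits, and anything no rule matches is denied. The attribute names, the patient “risk” flag, and the read-only rule for other certified clinicians are assumptions that go slightly beyond the article’s text.

```python
# Added example (not from the article): ABAC policy for Lumina Life.
# Attribute names, the "risk" flag and the clinician-read rule are assumptions.

RULES = [
    # Only certified psychiatrists may prescribe, and only for a flagged patient.
    {"name": "psychiatrist-prescribe",
     "subject": {"job": "psychiatrist", "certified": True},
     "resource": {"type": "patient_file", "risk": "suicidal"},
     "actions": {"prescribe"}},
    # Certified psychiatrists may also edit the patient's personal file.
    {"name": "psychiatrist-edit",
     "subject": {"job": "psychiatrist", "certified": True},
     "resource": {"type": "patient_file"},
     "actions": {"edit"}},
    # Assumed rule (not in the article): any certified clinician may read the file.
    {"name": "clinician-read",
     "subject": {"certified": True},
     "resource": {"type": "patient_file"},
     "actions": {"read"}},
]


def matches(required, actual):
    """Every required attribute must be present with exactly that value."""
    return all(actual.get(key) == value for key, value in required.items())


def decide(subject, resource, action):
    """Deny by default; return (decision, matching rule name) for audit logs."""
    for rule in RULES:
        if (action in rule["actions"]
                and matches(rule["subject"], subject)
                and matches(rule["resource"], resource)):
            return "permit", rule["name"]
    return "deny", None
```

Returning the matching rule name alongside the decision is what makes a later audit of “who was allowed to prescribe, and why” possible.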

Adriana has been a part of the Lumina team for a decade. Even though she is a photographer she shows a great interest in publications as well. Every morning she checks the stories drafted by her colleagues. Since she has already logged in to Lumina Lens, the photography portal, she does not have to log in again to the writer system. (This amazes Adriana every single time 😲)

This is Single Sign-On (SSO) — it allows users to log in to multiple applications/systems using a single identity.

This is possible due to the trust Lumina has placed in their Identity Provider (IdP, Authorization Server) WSO2 Identity Server.

WSO2 Identity Server (IS) has been a savior of Lumina for a few decades. IS verifies the identity of employees and customers (authentication) and manages who can access what (authorization).

In 2002, Lumina found itself in a critical situation within its organization when an employee managed to hack the chief editor’s account, gaining unauthorized access to sensitive corporate information, which was later exposed to the media. This incident had far-reaching negative consequences for the company. It was during this challenging period that Lily, Lumina’s CEO, realized the importance of seeking assistance from WSO2, a top-tier company specializing in IAM solutions.

Why is IAM so important?

It helps prevent problems like identity theft, data breaches, and unauthorized access within organizations. By using IAM tools, businesses can control who has access to what information, keeping sensitive data safe. It also makes it easier to manage user accounts and ensure that only the right people can access specific resources. Essentially, IAM keeps everything secure and running smoothly, protecting both the organization and its data from potential threats.

Lumina, along with Lumina Life and Lumina Lens, is trying to leave a positive mark on a retrogressive world. With the exceptional guidance of Lily Martinez, they have won the admiration of people across the globe. Apart from their significant social impact, they prioritize the safety and privacy of both their employees and customers which is made possible by the brilliant IAM solutions offered by WSO2.

Keep an eye out for upcoming articles, to discover more about WSO2 and their pioneering IAM solutions coupled with thorough explanations of IAM principles.
